GDPR: A Closer Look At A Company’s Stakeholders And Their Obligations

Anyone involved in a company-wide European Union General Data Protection Regulation (GDPR) initiative will probably agree that it can’t be an ad hoc approach; it must be a high-grade, cross-functional program. Typically, GDPR programs involve several work streams running in parallel across multiple business lines and geographies. And no matter how many people and business processes are involved (or what their titles and roles may be), all will fall under one of four major stakeholder groups. In this blog, I’ll detail each group’s primary obligations.

CEO and board of directors

The CEO and board of directors will be interested in:

The impact of GDPR on business processes: a top-to-bottom review of which personal data each business process collects and handles, the risks and challenges this creates, and any new opportunities it opens up

Employee training on the new requirements, including awareness of how staff record and retain information about customers, prospects, and employees (free-text notes about an individual are personal data too)

Protection against GDPR-related fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83), the impact on directors' and officers' liability insurance (D&O insurance), and the company's current GDPR risk exposure

Cost-effectiveness of data. Is the company collecting and accessing more personal data than it needs? Data minimisation (Article 5(1)(c)) is both an obligation and a saving: every silo of unused, potentially toxic personal data is one more store that must be protected, encrypted, monitored and included in breach response, and that investment buys the business nothing if the data is never used

Establishing an accountability framework by adding documentation of current risks and controls for the GDPR regulation into the existing internal controls system

Incorporating a risk-based approach by assessing the “likelihood and severity of risk” of personal data processing operations

For example, "high-risk" processing operations raise additional compliance obligations, such as a data protection impact assessment (DPIA, Article 35) before the processing begins

Encouraging a culture of monitoring and assessing data-handling processes

Data protection officers

Contrary to a common assumption, not every business that markets goods or services to customers in the EU must appoint a data protection officer. Under Article 37, a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal-conviction data; other organizations may appoint one voluntarily, and many do. The DPO works on behalf of the data subjects' privacy and must be able to act independently (Article 38), so some of the DPO's recommendations will run contrary to the aims of other data roles within the company. The data protection officer (DPO) will:

Keep up on laws and practices around data protection

Conduct privacy assessments internally

Ensure that all other matters of compliance pertaining to data are up-to-date

Be responsible for advising the organization of its obligations and monitoring compliance

Report directly to the highest level of management and have "expert knowledge" of data protection; the role can be filled by an employee or outsourced to an external provider under a service contract (Article 37(6))

CISOs, CIOs, and business process owners

These roles generally deal with keeping a company's data safe while making sure that these troves of data are put to use to improve business functions across the company. The chief information security officer (CISO) will:

Be responsible for cybersecurity, including monitoring access to personal data and detecting and reporting personal data breaches: notification to the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and, where the breach is likely to result in a high risk to individuals, notification of the affected data subjects (Article 34)

Limit who has access to personal data and make sure that access is authorized, reviewed regularly, and kept in step with personnel changes (joiners, movers, and leavers) within the organization

The chief information officer (CIO) can advise the DPO on technical solutions, and will typically focus on architecture and on fulfilling the rights of the data subject (Chapter III GDPR, Articles 12 to 23). The related obligations include:

Where processing relies on the data subject's consent, that consent must be freely given, specific, informed, and unambiguous, and it can be withdrawn at any time (Article 7); systems must record consent and stop the processing when it is withdrawn

Data subjects – customers, subscribers, users, employees, partners, the external workforce, and so on – get extended rights: the right of access (Article 15), the right to rectification (Article 16), the right to data portability, that is, to export and transfer their data (Article 20), and the right to erasure, also known as the right to be forgotten (Article 17)

Personal data that is no longer needed for the purpose it was collected for, and that is not subject to a legal retention obligation, must be completely removed from all storage systems, including backups, archives, and copies held by processors (storage limitation, Article 5(1)(e))

As I stated earlier, actual titles and roles will vary from one organization to the next, but organizations subject to the EU GDPR will need to establish comprehensive programs addressing these key data-privacy areas. The more automated and integrated the program is (with existing business applications, audit, and compliance tools), the more effective, cost-efficient, and preventive it will become.

For more information on the new regulations, read our other GDPR blogs.

Article published by Evelyne Salie. It originally appeared on SAP Analytics and has been republished with permission.

About Evelyne Salie

Evelyne is a highly experienced IT solution principal, business developer and project manager with over 10 years of IT industry experience in the governance, risk and compliance (GRC) and finance areas. She currently works as a Senior Director in Business Development at SAP Finance and GRC solutions. In her business development role she works on concepts and realization for a new generation of finance solutions, running in real time and integrating predictive analytics, big data, and mobile, which will change how the office of the CFO works, how the business is run, and how information is consumed.